SecurityWeek

Malware & Threats

Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies

Google Cloud’s Mandiant has linked the exploitation of CVE-2025-0282, a new Ivanti VPN zero-day, to Chinese cyberspies.

Ivanti vulnerability exploited

Google Cloud’s Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies.

Ivanti alerted customers on Wednesday that two vulnerabilities, tracked as CVE-2025-0282 and CVE-2025-0283, have been patched in its Connect Secure (ICS) VPN appliances. 

CVE-2025-0282, a critical stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code, has been exploited in the wild against a limited number of customers, Ivanti warned, without sharing any details on these attacks, except to say that compromise was identified using the company’s Integrity Checker Tool (ICT) and commercial security monitoring tools.

However, Mandiant, which has been working with Ivanti on investigating the attacks, revealed that exploitation has been linked to Chinese threat actors. Mandiant started seeing exploitation of CVE-2025-0282 in mid-December 2024.

Mandiant said it’s currently unable to attribute the exploitation of CVE-2025-0282 to a specific threat actor. However, the company noticed that the attackers deployed a malware family tracked as Spawn, which was previously attributed to a China-tied espionage group tracked as UNC5337.

The Spawn malware family includes the SpawnAnt installer, the SpawnMole tunneler, and an SSH backdoor named SpawnSnail. 

Mandiant believes, with medium confidence, that UNC5337 is part of UNC5221, a threat group that was previously observed exploiting Ivanti product vulnerabilities such as CVE-2023-46805 and CVE-2024-21887. Victims of those attacks included MITRE and CISA.

In the attacks involving the exploitation of CVE-2025-0282, the new Ivanti ICS zero-day, Mandiant also saw previously unknown malware families, which have been named DryHook and PhaseJam. These pieces of malware have yet to be linked to a known threat group.


“It is possible that multiple actors are responsible for the creation and deployment of these various code families (i.e. Spawn, DryHook and PhaseJam), but as of publishing this report, we don’t have enough data to accurately assess the number of threat actors targeting CVE-2025-0282,” Mandiant explained. 

In the attacks observed by Mandiant, the hackers first sent requests to the targeted appliance in an effort to determine its software version, as exploitation is version specific. They then exploited CVE-2025-0282, disabled SELinux, made configuration changes, executed scripts, and deployed web shells in preparation for deploying malware.

The PhaseJam malware is a dropper designed to modify Ivanti Connect Secure components, deploy web shells, and overwrite executables to facilitate arbitrary command execution. The malware, which helps the attackers establish an initial foothold, enables them to execute commands, upload files to the appliance, and exfiltrate data.

The DryHook malware has been used by the attackers in the post-exploitation phase of the attack to steal credentials. 

In an effort to persist across system upgrades, the attackers leveraged the SpawnAnt malware, which copies itself and its components to a special upgrade partition. In addition, the PhaseJam malware blocks system upgrades, but displays a fake upgrade progress bar to avoid raising suspicion.

Mandiant has warned that CVE-2025-0282 will likely be exploited by additional threat actors if proof-of-concept (PoC) exploits are created and made public. 

CISA on Wednesday added the Ivanti Connect Secure zero-day to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address the security hole by January 15. 

It’s worth noting that Ivanti has released patches for Connect Secure, but Policy Secure and Neurons for ZTA gateways are also impacted and they are only set to receive patches on January 21.

Related: Governments Urge Organizations to Hunt for Ivanti VPN Attacks

Related: Third Recent Ivanti Vulnerability Exploited in the Wild

Related: Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
